Introduction to ISO 27001

As the cyber security journey continues, I’ve been inevitably caught in the net of ISO 27001. As one of the most globally accepted frameworks for information security, it’s inevitable that those working in cyber security will end up working with it, in it or on it.

I’ve put this together as a simple guide aimed at assisting those going for the first (and lowest) ISO 27001 certification: ISO27001 Foundation.

What is the ISO?

Before I get into the 27001 framework, I thought it best to discuss the organisation behind it. The ISO is a truly international organisation which helps to define globally accepted standards for everything from children’s toys to cyber security.

What is ISO 27001?

ISO 27001 is a framework designed to assist in the management of information security within an organisation and to create an Information Security Management System (ISMS). It is not prescriptive in terms of what an organisation should do; for example, it will not state ‘backups should be performed daily’, as there is no ‘one-size-fits-all’ methodology for security and resilience. Instead, ISO 27001 provides guidance for organisations to define their own suitable requirements and then requires that these are adhered to in order to maintain ISO 27001 compliant status.

That’s great but what is it?

ISO 27001 is a documented standard, broken down into eleven sections. The first four (Sections 0 to 3) are introductory, and the remaining seven (Sections 4 to 10) are mandatory requirements for an organisation to be compliant. The sections are:

Section 0: Introduction

Section 1: Scope

Section 2: Normative references

Section 3: Terms and definitions

Section 4: Context of the organisation

Section 5: Leadership

Section 6: Planning

Section 7: Support

Section 8: Operation

Section 9: Performance evaluation

Section 10: Improvement

Finally, there is Annex A, a catalogue of controls that an organisation can select from when defining its own requirements.